Weebly recently became aware that an unauthorized party obtained email addresses and/or usernames, IP addresses and encrypted (bcrypt hashed) passwords for a large number of customers. At this point we do not have evidence that any customer website was improperly accessed. We do not store any full credit card numbers, and so we’re not aware that any credit card information that can be used for fraudulent charges was a part of this incident.
Please know that we are proactively moving to address the situation and your security is incredibly important to us. Weebly’s security team is taking steps to further enhance our network security and protect our customers. In addition to the password reset and new complex password set-up, we also now have a log-in history dashboard that includes location and IP address of recent log-ins to your Weebly account. This is now available under Account → Log In History.
Weebly remains deeply committed to serving our customers – and to protecting the accounts on our platform. We will be updating this article with any new information on the situation.
Important: If you receive an email that appears to be from Weebly saying your website is being shut down or asking you to update your account information, please do not take any action. These emails are not being sent by Weebly. We will never ask you to click on a link that isn't weebly.com.
How do I know if my account was affected?
At this time we believe this affects customers who registered on our platform before March 1, 2016. We are notifying affected customers by email. If you are unsure about when you signed up, we recommend resetting your password. You can reset your password here.
When and how did you find out about this?
Within the last few days, Weebly became aware that an unauthorized party has obtained email addresses and/or usernames, IP addresses, and encrypted (bcrypt hashed) passwords for a large number of our customers. We immediately launched an investigation, confirmed the authenticity of certain data in the file and began taking steps to further enhance our network security and protect and inform our customers.
Who is responsible for this?
The Weebly security team, along with expert security consultants, is actively working to identify how this happened.
What protection features do Weebly accounts have?
Accounts set up after June 1, 2011 have an encrypted password which security experts rank as an 8/10 on a safety scale. These passwords are encrypted using salted bcrypt hashes, which helps protect them by encrypting the data (hashing) and adding a string of random information to each password (salting). This makes these passwords very hard to guess or crack. Accounts set up before June 1, 2011 are using an older hashed password format, and these passwords have already been automatically reset as a safety precaution.
What measures are you taking to further enhance security?
Your account security is very important to us and we are moving swiftly to address the situation. Weebly’s security team is taking steps to further enhance our network security to protect our customers. We are also working with a third-party team of security experts to investigate the incident. In addition to the password reset, we’re also implementing tougher password requirements and a new dashboard that allows customers to see and monitor their most recent log-in history. Weebly remains deeply committed to serving our customers – and to protecting their websites and personal information.
What if I don’t remember my username or don’t use my Weebly account anymore?
During log-in, there is a prompt for people who have forgotten their username. You can reset that through an email link. If you don’t use your Weebly account but used your Weebly password across several accounts, security experts suggest changing the duplicate passwords to a unique password.
Are any of my other accounts (outside of Weebly) at risk?
No. However, if you are using the same password on multiple accounts, we would suggest resetting your passwords. Security experts suggest having a unique password for each account you log into online.
How secure is my Weebly password?
The vast majority (all accounts after June 1, 2011) of Weebly customer passwords are encrypted using salted bcrypt hashes, which helps protect them by encrypting the data (hashing) and adding a string of random information to each password (salting). This makes these passwords very hard to crack. Users who want to take additional steps to protect their account can reset their password, preferably with something complex and unique to their Weebly account. A small number of early accounts that have not logged in recently were encrypted using an MD5 hashed password, and in those cases we have initiated a forced password reset to help protect them.
Were any of my ecommerce customers’ information involved?
No, not to our knowledge. The file that was provided to us does not include information from our customers’ customers or any financial information that could be used for fraudulent charges. Weebly does not store full credit card numbers.
What does this mean for me?
To our knowledge, websites were not affected. Changing your password will help protect your data online. Customers can also protect themselves by being on the lookout for suspicious emails. Here’s a good resource for information on online and email security.
Why haven’t I received a notification email from Weebly regarding my account?
Only affected customers will be notified. We’ve begun the notification process. Due to the size of our customer base, this process will take a few days. In the meantime, we recommend you reset your password and submit any questions you have through this link. We will help answer them as quickly as possible.
I’m having trouble resetting my password and/or I still have questions. Where can I get additional support?
If you still have questions, we are here to help answer them as quickly as possible. You can submit your question through this link.